The Privacy/Untraceability Sweet Spot

[Tim May]

I'm writing a lot today. These last several days, actually. Maybe I got 
enough sleep, maybe the debate about how CFP has been taken over by the 
droids is inspiring me, maybe it's because I can't wait until I can get 
these drawings (talked about later) up on my soon-to-appear "virtual 
whiteboard" Web site. Whatever, what follows here (I'm writing this 
intro last) is probably one of the most important essays I've written in 
recent months. If most of you disgree, I'll know I'm truly out of touch.

On Saturday, August 25, 2001, at 08:25 PM, Declan McCullagh wrote:

> On Sat, Aug 25, 2001 at 05:44:39PM -0700, Tim May wrote:
>> I won't pay these rates for _any_ conference. Greg Broiles hit the nail
>> on the head: the only ones worth paying for are the ones with 
>> short-term
>> economic payoff. For CFP, this probably means law firms hoping to get
>> some business, or hoping to recruit some lawyers.
>
> CFP is still worth attending, but more as a social event nowadays.
> It's started to become a corporate-privacy-officer conference. I was
> chatting two weeks ago with a friend who's a CPO at one of the
> valley's largest firms and my friend was talking about suggesting a
> panel on "how firms can comply with european data directive stuff."
> Not unimportant in a practical sense, but hardly interesting, or
> cypherpunkish.

So I guess my candidate submission for the P.E.T. workshop might not be 
well-received: "BlackNet; Case History of a Practically Untraceable 
System for Buying and Selling Corporate and National Secrets."

The whole notion of "Chief Privacy Officers" shows how ridiculous things 
have become. For several obvious reasons we've talked about many times.

(And the notion that companies like ZKS will survive by reinventing 
themselve as privacy consultants to comply with privacy laws is equally 
silly. Hint: Whatever companies need to meet privacy "laws" in Europe, 
Asia, and North America doesn't have much to do with PipeNets and 
extremely robust systems for high-bandwidth communication.)

But I guess the vanished occupations of "Web Master" and "Web Mistress" 
had to morph into something equally silly.

PLOTTING THE COSTS AND BENEFITS OF UNTRACEABILITY

Look, this is all part of something I talked about at the June physical 
meeting in Berkeley: by failing to acknowledge the "high-value" markets 
for untraceability, characterized by such things as Swiss bank accounts 
and income-hiding, porn-trading rings, and information markets, the 
whole technology of privacy/untraceability gets ghettoized into 
low-value markets like "untraceable subway tokens" (wow, gee!), weak 
versions of proxy surfing tools, and boring attempts to get people to 
use digital money for things they don't mind using Visa and PayPal for.

At the June meeting I drew a graph which makes the point clearly. A pity 
I can't draw it here. (Yeah, there are ways. My new Web page should have 
some drawings soon. But this list is about ASCII.)

Plot "Value of Being Untraceable in a Transaction" on the X-axis. This 
is the perceived _value_ of being untraceable or private. Start with 
"little or nothing," proceed to "about a dollar" then to "hundreds of 
dollars" then to "thousands" then to "tens of thousands and more."  (The 
value of being untraceable is also the cost of getting caught: getting 
caught plotting the overthrow of the Crown Prince of Abu Fukyou, being 
outed by a corporation in a lawsuit, being audited by the IRS and them 
finding evaded taxes, having the cops find a cache of snuff films on 
your hard disk, and so on.)

Some examples: People will demonstrably get on planes and fly to the 
Cayman Islands to open bank accounts offering them untraceability (of a 
certain kind). It is demonstrably worth it to them to pay thousands, 
even tens of thousands, of dollars to set up shell accounts, dummy 
corporations, Swiss bank accounts, etc. For whatever various and sundry 
reasons. (They may be Panamanian dictators, they may be Get Rich Quick 
scamsters, they may be spies within the FBI or CIA.) They expect a 
"value of untraceability" to be high, in the tens or hundreds of 
thousands...or even much higher. Even their lives. Call this the "Over 
$100K" regime.

I cite this because it disputes directly the popular slogans: "People 
won't pay anything for privacy or untraceability." (In fact, people pay 
quite large sums for privacy and untraceability. Ask Hollywood or 
corporate bigshots what they pay not to be traced.)

People will also pay money not to be traceable in gambling situations. 
They gamble with bookies, they fly to offshore gambling havens, and so 
on. The _value_ to them is high, but not at the level above. If they're 
caught, they face tax evasion charges, maybe. Call this the "$1K-10K" 
regime. (The spread is wide, from low-rent bookie bets which even the 
IRS probably doesn't care much about to schemes to avoid large amounts 
of tax.)

At lesser levels, some choose to pay cash for their video tape rentals 
(with deposits arranged) just to avoid leaving a paper trail. (Bet 
Justice Thomas wishes he had.)

And then at very low levels there are the cases where the benefits of 
untraceability are worth little or nothing to most people. I call this 
the "millicent ghetto." Actually, the ghetto begins down at around a 
dollar or less. Sadly, a huge number of the proposed "untraceable 
digital cash" systems are targetted at uses deep down in this ghetto. 
(Perhaps because they have no hint of illegality?)

On the Y-axis. Plot here the _costs_ of achieving untraceability for 
these levels of achieved. This is the cost of tools, of using the tools, 
of delays caused by the tools, etc. For example, flying to the Cayman 
Islands to personally open a bank account may cost a couple of days in 
time, the airfare, and (more nebulously) the possible cost of having 
one's photograph taken for future use upon boarding that plan for 
Switzerland or the Caymans.

Lesser costs, but still costs, would be the costs of using Freedom (much 
frustration, say most of my friends who have tried to use it), the costs 
of getting a Mark Twain Bank digital cash account and actually having it 
work the way it should, and just the overhead/costs of using PGP.

Now on this X-Y graph plot the "blobs" where benefit/cost clouds of 
points are found. The 45-degree line is where the "costs" equal the 
"benefits." (These values change somewhat in time, of course, but the 
general point is still clear I expect.) Anything _below_ this 45-degree 
line is "cost effective": benefits > costs. Anything _above_ this line 
is NOT cost-effective: costs > benefits.

(In the economics of black markets, or illegal activities, we can expand 
these terms a bit. For example, "costs = costs of being caught x chance 
of being caught." An illegal action which will result in a $100K fine 
but which is only expected to be caught 1% of the time has a resultant 
cost of $1K. This is the "expected cost." Obviously, the idea of crypto 
and untracebility tools is to alter the equation by reducing the chance 
of being caught.)

RATIONAL ACTORS

The obvious point is that rational actors never pay more for 
untraceability than they get back in perceived benefits. Someone will 
not pay $1000 for privacy/untraceability technology or tools that only 
nets them $500 in perceived benefits.

They won't spend $1.00 in tools to net them 10 cents in perceived 
benefits.

THE SWEET SPOT

The "sweet spot" for privacy/untraceability tools is out of the 
"millicent ghetto" so much of the focus has beenon, and is even out of 
the "private Web surfing to avoid company tracing" ghetto, roughly at 
the tens of dollars levels. (It is hard to imagine how the "cost" of 
having Pillsbury know your baked good preferences is more than some 
trivial amount. This is the "ghetto" of low value transactions. However, 
not having the FBI know your are interested in "Lolita" images can be 
worth many hundreds of thousands of dollars in terms of avoided jail 
time, fines, loss of employability, etc.

(Do I think many pedophiles will, accordingly, pay hundreds of thousands 
for technologies to make them untraceable? Of course not, for reason 
psychologists are familiar with. But they'll pay some amount, and that 
amount may dwarf the aggregate value of what all of the "millicent 
ghetto" dwellers will pay. Interestingly, ZKS Freedom as ORIGINALLY 
SPECCED would have provide this "pedophile-grade untraceabilty" (to coin 
a phrase). Does it now? I don't think so, from what I hear from Wei Dai, 
Lucky Green, and from words coming out of ZKS. Apparently they are not 
planning to focus on these "high value" areas.)

Things start to get "interesting" at the thousands of dollars for tools 
for tens or hundreds of thousands of dollars in benefits. (By the way, 
the same applies to crypto per se. The military has "crypto specialists" 
and "crypto shacks" on board ships. But these cost a lot of money in 
training, procedures, and equipment. Millions of dollars a year for a 
ship, for example. Do the math. Real crypto is more than just strength 
of algorithms and keys: it's this economic trade-off. Too much of "why 
don't people use crypto more?" whines fails to see this basic point.)

The "sweet spot" often, practically by definition, involves putatively 
illegal activities: child porn, plotting revolution in Saudi Arabia, 
selling corporate secrets, distributing banned materials, etc. Only in 
these situations are the "costs of failure to be untraceable" high 
enough to make spending money and time learning to be untraceable 
worthwhile. It is not surprising that "those with nothing to hide" tend 
to put their money into their local bank branches under their own names 
while "those with something to hide" tend to open Swiss bank accounts.

Again, draw this region as a blob far to the right on the X-axis and, we 
hope, not very high up on the Y-axis. Meaning, advances in crypto, 
remailers, digital money, etc. will make this "sweet spot" truly sweet.

CORPORATIONS AND ACADEMICS FOCUS ON THE "GHETTO" NEAR THE ORIGIN

Still, corporations and academics focus on the "near the origin" blobs: 
millicent payment schemes, slight Web surfing untraceability tricks, 
subway tokens, etc. Because to focus on the real sweet spot is to admit 
to working on crypto anarchy, untraceable revolutionary cells, child 
porn rings, all that good happy stuff. The stuff people want to be 
untraceable for--and are willing to pay for.

This is the failure of nerve that all corporations and "reputable" 
academics face.


CONCLUSION:

To really do something about untraceability you need to be untraceable.

Draw this graph I outlined. Think about where the markets are for tools 
for privacy and untraceability. Realize that many of the "far out' sweet 
spot applications are not necessarily immoral: think of freedom fighters 
in communist-controlled regimes, think of distribution of birth control 
information in Islamic countries, think of Jews hiding their assets in 
Swiss bank accounts, think of revolutionaries overthrowing bad 
governments, think of people avoiding unfair or confiscatory taxes, 
think of people selling their expertise when some guild says they are 
forbidden to.

Most of all, think about why so many efforts to sort of deploy digital 
cash or untraceability tools have essentially failed due to a failure of 
nerve, a failure to go for the brass ring.


--Tim May